• © Goverland Inc. 2026
Aave DAO, proposed by 0x66a28531E6f390A8CD44aB0C57a0F1aeb7E673FF (aavelabs.eth)

[ARFC] Bug Bounty Program on Sherlock

Active vote, 3 days left to vote

Summary

Aave Labs proposes launching a dedicated Aave V4 bug bounty program on the Sherlock platform. The objective is to add an always-on security reporting channel for Aave V4, with a triage setup designed to reduce spam and route high-severity reports with high urgency.

Motivation

Aave V4 introduces new architecture and new surfaces. In addition to audits, formal verification, and other security review tracks, an ongoing bug bounty provides a complementary path for independent researchers to report issues during late-stage testing, launch, and post-launch.

Why Sherlock

Sherlock positions its bug bounty platform around three operational goals: strong visibility to experienced researchers, low spam volumes, and actionable triage with clear routing.

Sherlock has previously supported security work with Aave contributors across Aave V3 and in early Aave V4 efforts, which builds shared context on reporting standards, triage expectations, and escalation paths. Sherlock notes that its broader platform combines audit competitions with a bug bounty program, and that the bounty platform is designed to keep response workflows lightweight for core contributors while still surfacing high-severity reports quickly.

Spam resistance and operational focus

A practical challenge for prominent programs is high volumes of low-quality submissions, including AI-generated reports, which can consume significant contributor time and degrade signal-to-noise. Sherlock’s model uses stake-gated submission rules for High and Critical reports while keeping Medium and Low submissions open to everyone, paired with a defined triage workflow and periodic summaries.

Specification

This ARFC proposes launching a dedicated Aave V4 bug bounty program on Sherlock as an always-on reporting channel for Aave V4. The program is scoped specifically to Aave V4 and covers the final list of in-scope repositories, contracts, and environments included in the launch configuration.

Sherlock would provide self-service program configuration across scope, severity criteria, payout amounts, and notification routing, with support for standard and custom integrations across Aave’s preferred operating channels.

Triage and Routing

The program would operate under the following submission and triage structure:

High and Critical submissions

  • Require a 250 USDC stake at submission

  • Return the stake for valid reports alongside any bounty payout

  • Forfeit the stake for invalid reports to offset triage costs

Medium and Low submissions

  • Remain open without a stake requirement

  • Cannot later be upgraded into High or Critical payout tiers

Report handling

  • High and Critical reports follow an expedited routing path

  • Sherlock notifies Aave’s designated responders through agreed communication channels

  • Medium and Low reports move through Sherlock’s standard review flow

  • Aave keeps visibility into submissions and outcomes through the Sherlock dashboard

Pricing and Payout

Sherlock would provide hosting, triage, and program administration without a fixed annual platform fee, instead receiving a 5% fee on bounty payouts.

Annual payouts   Sherlock fee (5%)
$100,000         $5,000
$200,000         $10,000
$300,000         $15,000
$450,000         $22,500
$500,000         $25,000

Scope and Severity Criteria

Severity   Reward range
Critical   $25,000 - $500,000
High       $5,000 - $25,000
Medium     $5,000 (flat)
Low        $1,000 (flat)

These amounts can be increased as the protocol is hardened and TVL grows.

Scope

Hub

  • src/hub/Hub.sol

  • src/hub/HubConfigurator.sol

  • src/hub/AssetInterestRateStrategy.sol

  • All base contracts they inherit from and libraries used

Spoke

  • src/spoke/AaveOracle.sol

  • src/spoke/instances/SpokeInstance.sol

  • src/spoke/instances/TokenizationSpokeInstance.sol

  • src/spoke/instances/TreasurySpokeInstance.sol

  • src/spoke/SpokeConfigurator.sol

  • All base contracts they inherit from and libraries used

Periphery

  • src/position-manager/NativeTokenGateway.sol

  • src/position-manager/SignatureGateway.sol

  • src/position-manager/ConfigPositionManager.sol

  • src/position-manager/GiverPositionManager.sol

  • src/position-manager/TakerPositionManager.sol

  • All base contracts they inherit from and libraries used

  • src/access/AccessManagerEnumerable.sol

Additional coverage

  • Use and integration of external dependencies, excluding their internal code

Next Steps

  1. If consensus is reached on this ARFC, the proposal can proceed to Snapshot with the finalized commercial structure, scope, and payout framework.

  2. If Snapshot passes, an AIP can then be submitted to approve the Sherlock engagement and authorize implementation of the Aave V4 bug bounty program.

Disclaimer

This ARFC is posted by Aave Labs in its capacity as a contributor proposing an approach for Aave V4 security operations. Decisions and approvals belong to the DAO via the standard governance process.

Sherlock is a third-party service provider. Final commercial terms and execution details would be presented in an ARFC and, if progressed, implemented via an AIP.

Copyright

Copyright and related rights waived via CC0.

Off-Chain Vote

YAE      9.6K AAVE (100%)
NAY      0 AAVE (0%)
Abstain  0 AAVE (0%)


Timeline

Mar 23, 2026  Proposal created
Mar 24, 2026  Proposal vote started
Mar 24, 2026  Proposal updated